Tool lets low-end PC crash much more powerful webserver

Hackers have released software that they say allows a single computer to knock servers offline by targeting a well-documented flaw in secure sockets layer implementations. A German group known as The Hacker's Choice released the tool on Monday, in part to bring attention to what they said were a series of long-running …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters Silver badge

    “The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century.”

    So who are those sanctimonious jerks who probably know only how to wreck stuff and couldn't design anything secure if their life depended on it?

    Like vandals claiming they be fightin' for the freedom of the working class.

    1. Andrew Waite

      Research needed

      You should probably take a look at THC's history and projects before flaming them. This isn't the work of the latest round of skiddies to crawl out of the woodwork.

      1. Destroy All Monsters Silver badge

        Well they definitely behave that way.

  2. Anonymous Coward

    Grammar check

    It should read 'Tools let low end PC....'. This wasn't the work of an individual.

  3. Anonymous Coward

    I for one don't care what their motives are - over the past months it has become abundantly clear that SSL in its current form is well past its use-by date, so the sooner it gets fixed or replaced the better.

  4. James 100

    Discovering and proving a flaw in a security product is a valuable service, IMO - unlike vandals, these guys haven't done any actual damage. By releasing the tool into the wild, this effectively forces developers to fix the hole ASAP, rather than sitting around pontificating about whether it's really important or not until it's used to do some serious damage.

    I wonder if this will affect Google's apparent affection for SSL on everything - and if there's a botnet big enough to knock them offline using this technique, if they aren't already protected?

  5. W60

    Workaround

    Per the THC site:

    "No real solutions exists. The following steps can mitigate (but not solve) the problem:

    1. Disable SSL-Renegotiation

    2. Invest into SSL Accelerator

    Either of these countermeasures can be circumventing by modifying THC-SSL-DOS."

    Surely then just limiting connections based upon src IP with renegotiation is a mitigation that can't be circumvented... unless you can spoof the traffic.
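
The per-source-IP limit suggested in the last comment, sketched as an added example (not part of the thread and not code from any TLS server): a sliding-window counter keyed on source address rather than on the connection, replayed over constructed renegotiation events. The class name, thresholds and event format are assumptions made for illustration.

```python
from collections import defaultdict, deque


class RenegotiationLimiter:
    """Sliding-window cap on TLS renegotiations per source IP (hypothetical helper)."""

    def __init__(self, max_renegs=3, window_s=10.0):
        self.max_renegs = max_renegs      # assumed threshold, tune per deployment
        self.window_s = window_s          # assumed window length in seconds
        self._seen = defaultdict(deque)   # src_ip -> timestamps of accepted renegotiations

    def allow(self, src_ip, ts):
        """Return True if a renegotiation from src_ip at time ts may proceed."""
        q = self._seen[src_ip]
        # Expire entries that have fallen out of the window.
        while q and ts - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_renegs:
            return False                  # caller would refuse and close the connection
        q.append(ts)
        return True


# Constructed sample: (time in seconds, source IP, connection id).
# 203.0.113.7 renegotiates repeatedly across two connections;
# 198.51.100.20 renegotiates once.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7", 1),
    (0.2, "203.0.113.7", 1),
    (0.4, "203.0.113.7", 2),
    (0.5, "198.51.100.20", 9),
    (0.6, "203.0.113.7", 2),
    (0.8, "203.0.113.7", 1),
    (11.0, "203.0.113.7", 1),
]


def replay(events, limiter):
    """Feed events through the limiter; return the events that were refused."""
    return [e for e in events if not limiter.allow(e[1], e[0])]


if __name__ == "__main__":
    for ts, ip, conn in replay(SAMPLE_EVENTS, RenegotiationLimiter()):
        print(f"t={ts:>5}: refuse renegotiation from {ip} (conn {conn})")
```

Because the counter is keyed on the source address, spreading renegotiations over several connections from the same address does not reset it; the single renegotiation from the second address is unaffected.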
